User Accounts, Printers, and Mail Administration

Chapter 2  Administering User Accounts and Groups

This chapter describes tasks for administering user accounts and groups.
If you want to skip the background information that explains the concepts of administering user accounts and groups, and proceed directly to step-by-step instructions, use the following table to find the page where the instructions for a specific task begin.
  • Changing a User's Home Directory: page 49
  • How to Modify a User Account: page 55
  • How to Delete a User Account: page 57
  • How to Disable a User Account: page 58
  • Modifying or Deleting Groups: page 58
  • How to Create or Change a Password: page 60
If you want to review background information first, read "Using Administration Tool" on page 44.
If you want background information about setting up user accounts and groups, see Chapter 1, "Setting Up User Accounts and Groups," on page 1.

About Administering User Accounts and Groups

This chapter describes how to administer user accounts and groups in a network environment. The same procedures apply to standalone systems. The method you use to administer users and groups on a network depends on whether the network is administered through a name service.
Administration Tool enables you to administer user accounts on a local or remote system or in a name service environment. With a name service like NIS+, you can manage network information in a centralized location so that important system information, such as system and user names, does not have to be duplicated on every system in the network.

Using Administration Tool

Use the following Administration Tool applications to manage user account information:
  • User Account Manager to set up and maintain user accounts
  • Database Manager to set up and maintain UNIX group information
Depending on the name service used on the network, the information defining user accounts and groups is stored in either:
  • NIS+ tables
  • NIS maps
  • Local /etc files
To avoid confusion, all three types of information will be referred to as the passwd or group file, rather than the passwd or group file, table, or map.

Note - You can view the information in NIS maps with Administration Tool, but you cannot change the information. Refer to the SunOS 4.1 system documentation for information about how to administer NIS.

Before Using Administration Tool

The following hardware and software requirements must be met before using Administration Tool:
  • SunOS 5.x software on all systems to be administered.
  • A bit-mapped display monitor - Administration Tool's applications can be used only on a system where the console is a bit-mapped screen.
  • OpenWindows software. Start OpenWindows, if necessary.

  $ /usr/openwin/bin/openwin  

Required Access Privileges for Setting Up User Accounts

Table 2-1 describes the required access privileges for setting up user accounts.
Table 2-1  Required Access Privileges for Setting Up User Accounts

  To Set Up User Accounts Using the:   The Required Access Privileges Are:
  /etc files                           Root access or membership in the sysadmin group (GID=14) on the local or remote system.
  NIS+ tables                          Membership in the sysadmin group (GID=14) in the NIS+ group table, plus create and destroy permissions on the NIS+ passwd, group, auto_home, mail_aliases, and cred tables. NIS+ permissions are granted by membership in an NIS+ group.

Traditional UNIX groups and NIS+ groups are separate. See Name Services Administration Guide for instructions on setting up NIS+ groups.

Using Administration Tool

Start Administration Tool from an OpenWindows window as follows.

  $ admintool &  

Administering User Accounts

Administering user accounts includes modifying, removing, and disabling user accounts.

Modifying User Accounts

Unless you define a user (login) name or numeric user ID (UID) that conflicts with an existing one, you should never need to modify a user account's login name or UID.
Users' group memberships change over time. User Account Manager's Modify User option lets you add or delete a user's secondary groups. Alternatively, you can use Database Manager to directly modify a group's member list.
In most companies, users transfer departments, receive promotions, change projects, and so on. You may need to change the status of these users when such an event occurs. This information is contained in the Comment field. You can modify the Comment information in the NIS+ passwd table or local /etc/passwd file for user accounts using Administration Tool's User Account Manager application.
In a network environment, you probably will move users from one system to another, and from one server to another as they are assigned new equipment or as they move from one location to another. User Account Manager lets you change the identity of a user's home directory, but it does not create the new directory, or move the contents of an existing home directory. Create the new directory, move the files to it, and then use User Account Manager to specify the new location and have the new home directory automatically mounted. In addition, if you do not use User Account Manager to set up the user's home directory, you may have to change the auto_home file that defines how to automount the user's home directory.
You can use User Account Manager to change a user's password attributes. Alternatively, you can use one of the following commands, depending on which name service (or no name service) case applies: passwd (no name service), yppasswd (NIS), or nispasswd (NIS+).

Removing User Accounts

Before removing a user account, you might consider whether you just want to lock the account to disable it. See the next section, "Disabling User Accounts."
To remove an account, you have to reverse the tasks performed to set up the account.
When you delete a user account with User Account Manager, the entries in all the files that were made when adding the account are automatically removed. All the user's entries are removed from the following:
  • passwd file
  • group file
  • auto_home file
  • mail_alias or aliases files
  • NIS+ cred table (if applicable)
In addition, you have the option to delete the files in the user's home directory and delete the contents of the user's mailbox.
If you want to delete entries from mail aliases other than the one set up to direct mail to your mailbox, you would have to delete them by hand.
Never reuse the UIDs from deleted accounts. This leaves holes in the passwd file, but minimizes security risks. However, if you have a high turnover of users (as in a university setting) you may have to reuse UIDs. In that case, "wipe the slate clean" so the new user is not affected by attributes set for a former user. For example, a former user may have been denied access to a printer, by being included in a printer deny list, but that attribute may not be appropriate for the new user.

Disabling User Accounts

Occasionally, you may need to temporarily or permanently disable a login account. The easiest way to disable a login account is to use User Account Manager to lock the password for an account. The content of the password field is changed to *LK*.
Or, on a local system, you can control access to a user's account by requiring password aging, by setting an expiration date for the login account, or by requiring that a user access the account at regular intervals. Another way that you can disable a login is to change the password.

Creating and Modifying Passwords

Passwords are an important part of system security. Each user account should be assigned a password of six to eight characters that contains a combination of letters and numbers. See Security, Performance, and Accounting Administration for detailed information about passwords and password aging. See also passwd(1), yppasswd(1), or nispasswd(1) for information about changing passwords and password attributes (for example, the maximum number of days a password is valid).
In Solaris, user information is stored in the NIS+ passwd table (or local /etc/passwd file). The encrypted password is stored in the Passwd field of the NIS+ passwd table or in the local /etc/shadow file, neither of which has general Read permission.
You can use User Account Manager for some password administration, including clearing the password field until the user logs in for the first time, locking the account, and specifying time-outs and aging information. You can set the Password Status to prompt users to create their own password during their first login. Alternatively, you can create the password for the user and tell the user what it is before the first login.
To create passwords or modify passwords, you can also use one of these commands:
  • /usr/bin/passwd (for no name service)
  • /usr/bin/nispasswd (for the NIS+ name service)
  • /usr/bin/yppasswd (for the NIS name service)
If your network is running the NIS+ name service, you should use nispasswd, because it automatically updates the user's credentials (LOCAL and DES entries in the cred table).
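As an added example that is not part of this manual, the following POSIX shell functions audit a passwd and shadow pair for the conditions this section and "Disabling User Accounts" describe: a locked (*LK*) password field, an empty password field, a password with no maximum age, a reused or duplicate UID, and a second UID 0 account. The sample files are constructed here; the shadow layout assumed is the Solaris one (user, password, lastchg, min, max, warn, inactive, expire, flag).

```shell
#!/bin/sh
# Added example, not from the manual. Audits a passwd/shadow pair for the
# conditions this chapter discusses. Every line of sample data is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passwd file: tamiro's UID was reused for newhire, and a second
# account (ops2) carries UID 0.
cat > "$WORK/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
ignatz:x:1001:14:Ignatz Mouse:/export/home1/ignatz:/bin/csh
tamiro:x:1002:20:Tamiro:/export/home/tamiro:/bin/sh
newhire:x:1002:20:New hire:/export/home/newhire:/bin/sh
ops2:x:0:1:Operations:/export/home/ops2:/bin/sh
EOF

# Constructed shadow file in the Solaris layout
# (user:password:lastchg:min:max:warn:inactive:expire:flag).
# HASH stands in for an encrypted password; ignatz is locked, newhire has none.
cat > "$WORK/shadow" <<'EOF'
root:HASH:11655::::::
ignatz:*LK*:11655::::::
tamiro:HASH:11655:7:56:7:::
newhire::11655::::::
ops2:HASH:11655::::::
EOF

# Accounts whose password field holds the *LK* marker User Account Manager writes.
locked_accounts() {
  awk -F: '$2 == "*LK*" { print $1 }' "$1"
}

# Accounts with an empty password field: login succeeds with no password at all.
empty_passwords() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a usable password but no maximum age (field 5), so no aging applies.
no_password_aging() {
  awk -F: '$2 != "" && $2 != "*LK*" && $5 == "" { print $1 }' "$1"
}

# Later passwd entries that share a UID with an earlier entry.
duplicate_uids() {
  awk -F: '($3 in first) { print $1 " shares UID " $3 " with " first[$3]; next }
           { first[$3] = $1 }' "$1"
}

# Every UID 0 entry other than root is a second root account.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# uid_free PASSWD UID: exit 0 when UID is unused, 1 when some entry already has it.
uid_free() {
  awk -F: -v uid="$2" '$3 == uid { taken = 1 } END { exit taken ? 1 : 0 }' "$1"
}

# Labelled report over both files.
audit_report() {
  pwfile=$1 shfile=$2
  for name in $(extra_uid0 "$pwfile"); do echo "UID0   $name"; done
  duplicate_uids "$pwfile" | sed 's/^/DUPUID /'
  for name in $(locked_accounts "$shfile"); do echo "LOCKED $name"; done
  for name in $(empty_passwords "$shfile"); do echo "NOPASS $name"; done
  for name in $(no_password_aging "$shfile"); do echo "NOAGE  $name"; done
}

audit_report "$WORK/passwd" "$WORK/shadow"
```

Run it against the real /etc/passwd and /etc/shadow (as root, since shadow is not generally readable) to get the same report for a system.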

Administering Groups

Administering groups means you can modify or delete groups.

Modifying or Deleting Groups

Use Administration Tool's Database Manager to add or remove users from a group. This distributed application allows you to make changes to the NIS+ group table or to the /etc/group files on the network. However, if you use Database Manager to change a user's group memberships in a network running NIS+, you have to update the user's NIS+ credentials afterward (nisaddcred local).
When you add a user account, User Account Manager lets you define the user's primary and secondary groups. You can also use the application to modify a user's account to change a specific user's membership in secondary groups. In this case, if the network is running NIS+, the user's NIS+ credentials are automatically updated to reflect his or her group memberships.
Database Manager enables you to delete groups. When projects finish, groups that are set up for those projects may no longer be needed, and you may want to delete these groups. Be careful to avoid conflicts if you reuse the GIDs from deleted groups.

Instructions for Administering User Accounts and Groups

This section provides step-by-step instructions for performing tasks related to administering user accounts and groups. For many tasks, you will find an example of user input and system output after the instructions.
This section describes how to:
  • Change a user's home directory
  • Modify a user account
  • Delete a user account
  • Disable a user account
  • Modify or delete groups
  • Create or change a password

Changing a User's Home Directory

Prerequisite
  • User's account exists
  • Root access on the systems containing the home directories
Information You Need
  • User's login name and user ID (UID)
A user's home directory can be automatically created by User Account Manager when you add a user. If you need to move a user's home directory, User Account Manager will not create the new directory nor move the contents of the old directory. You have to do both manually.
The following procedures tell you how to:
  • Create a new home directory
  • Copy the contents of an old home directory to a new home directory
  • Copy the initialization (skeleton) files into the directory and customize the user's environment as required (this procedure is not needed when copying all the files from an existing home directory to a new one)
  • Set up the mounting required to make the home directory available (this procedure is not needed when you use the AutoHome Setup option in User Account Manager)
Perform these procedures before using User Account Manager to modify the other attributes of the user account.

· How to Create the New Home Directory


Note - All the following steps apply whether the home directory is created on the local system or on a remote file server.

  1. Decide on which system to create the home directory for a user.

    If the home directory is accessed over the network, the system that provides the home directory should be on the same network segment as the user's local system. Check that there is enough space on the possible servers by using the df command.

  2. Log in to the system where you want to create the home directory.

    Usually, the system is a file server, but it can be the user's own local system.

  3. Type cd /export/home-dir and press Return. If you use a different home directory naming scheme, change to a directory where you assign users' home directories.


  # cd /export/home1  

  4. Type mkdir login-name and press Return.

    Create a directory whose name matches the login name of the user.


  # mkdir ignatz  

  5. Type chown login-name login-name and press Return. The user now owns the home directory.


  # chown ignatz ignatz  

  6. Type chgrp primary-GID login-name and press Return. Assign the home directory to the primary group you specified in the passwd file for the user account, for example, the docia group.


  # chgrp docia ignatz  

  7. Type chmod 755 /export/home-dir/login-name and press Return. Set the user's home directory permissions to rwx for owner, r-x for group, and r-x for other.


  # chmod 755 /export/home1/ignatz  

  8. Allow the home directory to be shared by other systems.

    The following steps are performed once for each /export/home-dir directory reserved for users' home directories. By convention, these are named /export/home, /export/home1, /export/home2, and so on.

    a. Type share and press Return. If /export/home-dir is listed, it is already being shared, so skip to step 9.

    b. Edit the file /etc/dfs/dfstab and add the following line:

       share -F nfs /export/home-dir

       Whenever the system reboots, the share command will run.

    c. Type shareall -F nfs and press Return. This command executes all the share commands in the /etc/dfs/dfstab file, so you do not have to wait for a reboot.

    d. Type ps -ef | grep mountd and press Return. If the daemon mountd is running, skip to step 9.

    e. Type /etc/init.d/nfs.server start and press Return. Start the daemons required for sharing file directories.

Note - If your network is not running a network name service, like NIS+, you need to add the home directory server's Internet Protocol (IP) address and system name to the /etc/hosts file on the user's system. You can use Database Manager to edit the local /etc/hosts file.

  9. (Optional) Set up a disk quota for the user in the file system containing his or her home directory.

    This step may be warranted in a setting where disk space is limited.

· How to Move the Contents of the Home Directory

  1. Log in or use rlogin to log in remotely to the system where the old home directory resides, and become root.

    Typically the system is a server remote from the local workstation on which the directory is mounted.

  2. Type cd parent-directory and press Return.

    You want to go to the directory under which the user's home directory resides. By convention, the parent directory should be /export/home or /export/home1, and so on.

  3. To see if you have permission to access the system (if remote) where the new home directory resides, type rsh new-system date and press Return. If the date is displayed (rather than a message saying permission was denied) go to step 5.

  4. Use the rlogin command to log in remotely to the new system, add the old system's name to the /.rhosts file, then exit back to the old system.

  5. Type tar cvf - old-directory | rsh new-system cd parent-directory \; tar xvpf - and press Return

    All the files in the old directory are copied to the new directory. According to convention, the name of both the old and new directory is the same as the user name. If the new home directory is on the same system as the old home directory, just omit the rsh system portion of the command.

  6. Type rm -r old-directory and press Return.

    All the files in the old directory are deleted, and the old home directory itself is removed.


  $ rlogin anthologia  
  $ su  
  Password:  
  # cd /export/home  
  # rsh infomaniac date  
  Thu Sep 3 08:49:15 EDT 1992  
  # tar cvf - tamiro | rsh infomaniac cd /export/home \; tar xvpf -  
  # rm -r tamiro  

Copying Initialization Files into a User's Home Directory

Prerequisite
  • User's home directory exists
  • Root access on the system containing the home directory
Information You Need
  • Shell type (C, Bourne, or Korn) assigned to the user
Use this procedure if you do not use User Account Manager to create the home directory for a user account. If you want to move an existing user's home directory, just copy all the files (including the user initialization "dot" files) from the old to the new directory, as described in "How to Move the Contents of the Home Directory" on page 52, rather than copying the initialization files as shown in the following steps.

· How to Copy Initialization Files into a User's Home Directory

  1. Type cd /export/home-dir/username and press Return. You are in the user's home directory.


  # cd /export/home1/ignatz  

  2. Type cp shell-init-file-directory/.* . and press Return. The user initialization files are copied from the shell-specific directory to the user's home directory. This requires the user initialization files to follow the conventions described in "Setting Up Initialization (Skeleton) Files" on page 19. You will see error messages about the "." and ".." files not being copied, which you can ignore.


  # cp /etc/skel/C/.* .  

  3. Type chmod 744 .*; chown username .* and press Return. Permissions are set and the user now owns the initialization files.


  # chmod 744 .*; chown ignatz .*  

  4. Type chgrp primary-GID .* and press Return. The files are assigned to the primary group (for example, sysadmin) you specified in the passwd file for the user account.


  # chgrp sysadmin .*  

To set up mounting for the home directory, see "Mounting a User's Home Directory" on page 28.
To customize the user environment, see "How to Customize a User's Environment" on page 30.
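As an added example that is not part of the manual, the following POSIX shell functions carry out steps 3 through 7 of "How to Create the New Home Directory" and the skeleton-file copy above as one script, and check whether /etc/dfs/dfstab already shares the base directory (step 8). They deliberately avoid the .* glob: in the Bourne shell it also expands to "." and "..", which is why the cp step above reports errors for those two names, and chmod 744 .* run inside the home directory would also change the mode of the home directory itself and of its parent /export/home-dir. The directory names, skeleton location and dfstab path are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the manual: create a user's home directory and install
# the shell's skeleton dot files without relying on the ".*" glob. Directory
# names are placeholders chosen by the caller.

# create_home_dir BASE LOGIN GROUP
# Steps 3 to 7 of "How to Create the New Home Directory": mkdir, chown, chgrp,
# chmod 755. Refuses an existing directory so a former user's files are never
# adopted by the new account.
create_home_dir() {
  base=$1 login=$2 group=$3
  [ -d "$base" ] || { echo "no such base directory: $base" >&2; return 1; }
  [ ! -e "$base/$login" ] || { echo "$base/$login already exists" >&2; return 1; }
  mkdir "$base/$login" &&
    chown "$login" "$base/$login" &&
    chgrp "$group" "$base/$login" &&
    chmod 755 "$base/$login"
}

# install_dotfiles SKELDIR HOMEDIR LOGIN GROUP
# Copies every dot entry of the skeleton directory into HOMEDIR and sets mode 744
# and ownership on the copies only. The two patterns match ".name" and "..name"
# but never "." or "..", which ".*" would also expand to in the Bourne shell:
# "chmod 744 .*" run inside the home directory would then change the mode of
# the home directory itself and of its parent /export/home-dir.
# Prints the number of entries installed.
install_dotfiles() {
  skel=$1 home=$2 login=$3 group=$4
  [ -d "$skel" ] && [ -d "$home" ] || return 1
  count=0
  for src in "$skel"/.[!.]* "$skel"/..?*; do
    [ -e "$src" ] || continue          # an unmatched pattern stays literal; skip it
    name=${src##*/}
    cp -R "$src" "$home/$name" || return 1
    chmod 744 "$home/$name" || return 1
    chown "$login" "$home/$name" || return 1
    chgrp "$group" "$home/$name" || return 1
    count=$((count + 1))
  done
  echo "$count"
}

# dfstab_shares DFSTAB DIR
# Exit 0 when the dfstab file already carries a share line for DIR (step 8b),
# so the line does not get added twice. Only reads the file; never runs share.
dfstab_shares() {
  awk -v dir="$2" '$1 == "share" && $NF == dir { found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}
```

A typical call as root is create_home_dir /export/home1 ignatz docia followed by install_dotfiles /etc/skel/C /export/home1/ignatz ignatz docia, then dfstab_shares /etc/dfs/dfstab /export/home1 to decide whether step 8b is still needed.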

Modifying a User Account

Prerequisites
  • Start OpenWindows, if necessary
  • Start Administration Tool, if necessary
  • Verify required access privileges
See "Required Access Privileges for Setting Up User Accounts" on page 45 for more information.
If you want to change a user's account to reference a different home directory, you should first create the new directory.
Information You Need
  • User's login name and user ID (UID)

· How to Modify a User Account

  1. Click on the User Account Manager icon.

    The Naming Service window appears.

  2. Select the name service being used to administer the network.

  3. Click on Load.

    The User Account Manager main window appears.

  4. Select the user entry to be modified.

  5. Choose Modify/View User from the Edit menu.

    The Modify User window appears.

  6. Change the information in the appropriate fields.

    Field: Description of Possible Changes

    User Name and User ID: Change either, or both. However, the home directory's ownership is not changed (if the home directory exists). An error message is displayed if you try to change permissions on the home directory. Manually change the ownership of all files and directories, including the mailbox, that have the old UID (on any systems to which they have migrated).

    Primary Group: Enter a new name or number. A number is required when the group does not exist yet. The NIS+ cred table entries (if any) are updated.

    Secondary Groups: You can add or delete group names from the list. The group file is updated accordingly.

    Comment: You can change the text.

    Login Shell: You can change the login shell program.

    Account Security: You can change any of the account security fields. If the current password status is Normal Password, change the password by choosing Normal Password from the Password menu.

    Home Directory: You can change the home directory name by changing the Path and Server entries. Modify User will not create a new directory or move the contents of an existing home directory. Only the information in the passwd and auto_home files is changed. If the directory indicated by the Path and Server fields exists, the Permissions buttons are activated and you can change the permissions on the directory.

    AutoHome Setup: A check mark shows automounting is in effect. By toggling the check mark you can either undo or set up automounting. In the latter case, fill in the Path and Server fields.

    Cred. Table Setup: Shown only if NIS+ applies. A blank indicates credentials have not been set up. Check to add them, and, if the account has a normal password, re-enter the password to generate the DES entry.

    Mail Server: You can change the Mail Server, but the user's mailbox contents are not automatically moved by User Account Manager.
To retract your changes, click on Reset.
  7. Click on Apply.

    The user account is modified.
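The User Name and User ID row above leaves the re-ownership of files and the mailbox to the administrator, and "Removing User Accounts" asks for a clean slate before a UID is reused. As an added example that is not part of the manual, the following POSIX shell functions do that clean-up: list files still owned by a numeric UID, hand them to the new login name, and list files whose owner has no passwd entry at all. The directory trees to scan are supplied by the caller (for instance each /export/homeN directory and /var/mail).

```shell
#!/bin/sh
# Added example, not from the manual. Ownership clean-up after a UID change, and
# the check to make before a deleted user's UID is reused. The caller supplies
# the trees to scan (for instance the /export/homeN directories and /var/mail).

# files_owned_by DIR UID: every path under DIR, on the same file system, whose
# owner is the numeric UID. find -user takes a number even when no passwd entry
# has it any more, which is exactly the case after an account is deleted.
files_owned_by() {
  find "$1" -xdev -user "$2" -print
}

# count_owned_by DIR UID: number of such paths, for a before/after comparison.
count_owned_by() {
  files_owned_by "$1" "$2" | awk 'END { print NR }'
}

# reown DIR UID NEWOWNER: hand every file still owned by UID under DIR to
# NEWOWNER, refusing a login name that does not exist. The mailbox lives
# outside the home directory, so run this once more with /var/mail as DIR.
reown() {
  id "$3" >/dev/null 2>&1 || { echo "no such user: $3" >&2; return 1; }
  find "$1" -xdev -user "$2" -exec chown "$3" {} +
}

# orphaned_files DIR: paths whose owner has no passwd entry at all. Any output
# before a UID is reused means the new user would inherit those files.
orphaned_files() {
  find "$1" -xdev -nouser -print
}
```

After a UID change, count_owned_by with the old UID should report 0 on every tree once reown has run; orphaned_files on the same trees is the check to run before assigning a deleted user's UID to a new account.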

Deleting a User Account

Prerequisites
  • Start OpenWindows, if necessary
  • Start Administration Tool, if necessary
  • Verify required access privileges
See "Required Access Privileges for Setting Up User Accounts" on page 45 for more information.
Information You Need
  • User's login name and user ID (UID)

· How to Delete a User Account

  1. Click on the User Account Manager icon.

    The Naming Service window appears.

  2. Select the name service being used to administer the network.

  3. Click on Load.

    The User Account Manager main window appears.

  4. Click on the entry for the user account you want to delete.

  5. Choose Delete User from the Edit menu.

    The Delete User window appears.

  6. (Optional) Click on the check box to delete the user's home directory and its contents.

    User Account Manager must be installed on the system where the home directory resides.

  7. (Optional) Click on the check box to delete the user's mailbox and its contents.

    User Account Manager must be installed on the system where the mailbox resides.

  8. Click on Delete.

    The user's entries are removed from the passwd, group, aliases, cred, and auto_home files. Only the single mail alias that directs mail to the user's mail box is removed; the user name is not deleted from any other mail aliases.

    Repeat steps 2 through 7 to delete entries for other users. In addition, if you are not using a name service and want to remove the user account from the other systems, you also have to repeat step 3, and specify a different system (host) name in the Use /etc files on host field in the name service window.

· How to Disable a User Account

The steps for disabling a user account overlap the steps for modifying a user account.
  1. Perform the first three steps in the task "How to Modify a User Account" on page 55.

  2. Choose Account Is Locked from the Password menu.

    This selects the locked password status, which you use to disable the user account.

  3. Click on Apply.

    The account is locked. Actually, an invalid password, *LK*, is assigned to the account. This prevents future logins. In addition, if NIS+ is the selected name service and entries have been added to the cred table, the DES entry is removed.

    You can re-enable logins to the account by changing the password status to Normal Password or Cleared until first login.

Modifying or Deleting Groups

Prerequisites
  • Start OpenWindows, if necessary
  • Start Administration Tool, if necessary
  • Verify required access privileges
See "Required Access Privileges for Setting Up User Accounts" on page 45 for more information.

· How to Modify a Group

  1. Start Database Manager, select the group file, then select name service, and load the group file.


Note - If you have a network running only the NIS+ service, the nogroup entry is not needed.

  2. Click on the entry to be modified.

    The entry is highlighted.

  3. Choose Modify Entry from the Edit menu.

    The Modify Entry window appears, showing the current information in the group file fields for the group.

  4. Add user names to, or remove user names from, the Members List text field.

    If you make a mistake or change your mind, click on Reset and retype the information.

  5. Click on Modify.

    The group file is modified. Repeat steps 1 through 5 to modify additional groups. If you are not using a name service and want to modify the groups on other systems, you also have to repeat step 1, and specify a different system (host) name in the Use /etc files on host field in the Load Database window.

  6. (Optional) If the network is running the NIS+ service and credential entries have been added to the cred table, type nisaddcred -P username.domainname local and press Return.

    This updates the NIS+ local credentials for a user. Repeat this step for each user name added to, or removed from, any group's member list, so his or her credentials will reflect the new group memberships.

· How to Delete a Group

The steps for deleting a group are almost the same as the steps for modifying a group.
  1. Perform the first four steps from the task for modifying a group (see page 58).

  2. Click on the entry to be deleted.

    The entry is highlighted.

  3. Choose Delete Entry from the Edit menu.

  4. Click on Delete.

    The group is deleted from the group file. Repeat steps 2 through 4 in this task to delete other groups. If you are not using a name service and want to delete the groups on other systems, you also have to repeat step 1 in the section "How to Modify a Group" on page 59, and specify a different system (host) name in the Use /etc files on host: field in the Load Database window.

  5. (Optional) If the network is running NIS+ and credential entries have been added to the cred table, type nisaddcred -P username.domainname local and press Return.

    This updates the NIS+ local credentials for a user. Repeat this step for each user name that was included in the group's member list, so his or her credentials will reflect the changed group memberships.

· How to Create or Change a Password

Users can create or change their own password at any time. You must be root to create the initial password or change the password for any other user. In addition, to create an NIS+ password you must have the appropriate NIS+ privileges and you must have established the necessary network-wide credentials (see nispasswd(1)).
You can also use passwd to define, change, and view password attributes, like password aging. See passwd(1) for more information.

Note - Do not include a colon (:) in new passwords.

To create an NIS+ password:

  1. Become root on the NIS+ server.

  2. Type nispasswd username and press Return. The prompt New password: is displayed.

  3. Type the new password and press Return.

    The prompt Retype new password: is displayed.

  4. Retype the password and press Return.

    The password is assigned and added to the NIS+ passwd table. You can also use nispasswd to define, change, and view password attributes, like password aging. See nispasswd(1) for information.


  [70]saturn % su  
  Password:  
  saturn # nispasswd ignatz  
  New password:  
  Retype new password:  
  saturn #  

To change an NIS+ password:

  1. Become root on the NIS+ server.

  2. Type nispasswd username and press Return. The message Changing NIS+ password for username on NIS+ server and the prompt Old password: are displayed.

  3. Type the old password and press Return.

    The prompt New password: is displayed.

  4. Type the new password and press Return.

    The prompt Re-enter new password: is displayed.

  5. Retype the password and press Return.

    The password is assigned and added to the NIS+ passwd table.


  [26]mercury }% su  
  Password:  
  mercury # nispasswd ignatz  
  Changing NIS+ password for ignatz on NIS+ server  
  Old password:  
  New password:  
  Re-enter new password:  
  mercury #  

You can also use nispasswd to define, change, and view password attributes, like password aging. See nispasswd(1) for more information.
To create an NIS password:

  1. Become root on any system in the NIS domain.

  2. Type yppasswd username and press Return.

    The message Changing NIS password for username and the prompt New password: are displayed.

  3. Type the new password and press Return.

    The prompt Retype new password: is displayed.

  4. Retype the password and press Return.

    The password is assigned and added to the NIS master file. It may take a few minutes for the new password to be set up on all the NIS servers and clients.


  [70]jupiter % su  
  Password:  
  jupiter # yppasswd ignatz  
  Changing NIS password for ignatz  
  New password:  
  Retype new password:  
  NIS entry changed on eucalyptus  
  jupiter #  

To change an NIS password:

  1. Become root.

  2. Type yppasswd username and press Return. The message Changing NIS password for username and the prompt Old yp password: are displayed.

  3. Type the old password and press Return.

    The prompt New password: is displayed.

  4. Type the new password and press Return.

    The prompt Retype new password: is displayed.

  5. Retype the password and press Return.

    The message NIS entry changed on nis-server is displayed, and the password is assigned and added to the NIS master file.


  [26]neptune }% su  
  Password:  
  neptune # yppasswd ignatz  
  Old password:  
  New password:  
  Retype new password:  
  NIS entry changed on eucalyptus  
  neptune #  

To create a local password:

  1. Become root.

  2. Type passwd username and press Return.

    The prompt New password: is displayed.

  3. Type the new password and press Return.

    The prompt Re-enter new password: is displayed.

  4. Retype the password and press Return.

    The password is assigned and added to the /etc/shadow file.


  [70]terra % su  
  terra # passwd ignatz  
  New password:  
  Re-enter new password:  
  terra #  

You can also use passwd to define, change, and view password attributes, like password aging. See passwd(1) for more information.
To change a local password:

  1. Become root.

  2. Type passwd username and press Return.

    The prompt New password: is displayed.

  3. Type the new password and press Return.

    The prompt Re-enter new password: is displayed.

  4. Retype the password and press Return.

    The password is assigned and added to the /etc/shadow file.


  [26]luna }% su  
  Password:  
  luna # passwd ignatz  
  New password:  
  Re-enter new password:  
  luna #